Endpoints
These windows enable you to configure and manage endpoints that connect to your network.
Endpoint Settings
| Field Name | Usage Guidelines |
|---|---|
| MAC Address | Enter the MAC address in hexadecimal format to create an endpoint statically. The MAC address is the identifier of the device interface that is connected to the Cisco ISE-enabled network. |
| Static Assignment | Check this check box to create an endpoint statically in the Endpoints window; the status of static assignment is then set to static. You can toggle the static assignment status of an endpoint from static to dynamic or from dynamic to static. |
| Policy Assignment | (Disabled by default unless Static Assignment is checked.) Choose a matching endpoint policy from the Policy Assignment drop-down list. You can do one of the following: |
| Static Group Assignment | Check this check box to assign an endpoint to an identity group statically. If you check it, the profiling service does not change the endpoint identity group during the next evaluation of the endpoint policy, even for endpoints that were previously assigned dynamically to other endpoint identity groups. If you leave it unchecked, the endpoint identity group is dynamic and is assigned by the ISE profiler based on the policy configuration: the endpoint is automatically assigned to the matching identity group during the next evaluation of the endpoint policy. |
| Identity Group Assignment | Choose an endpoint identity group to which you want to assign the endpoint. You can assign an endpoint to an identity group when you create an endpoint statically, or when you do not want to use the Create Matching Identity Group option during evaluation of the endpoint policy for an endpoint. Cisco ISE includes the following system created endpoint identity groups: |
Endpoint Import from LDAP Settings
| Field Name | Usage Guidelines |
|---|---|
| Connection Settings | |
| Host | Enter the hostname or the IP address of the LDAP server. |
| Port | Enter the port number of the LDAP server. The default is port 389 for a plain LDAP import and port 636 for an import over SSL (LDAPS). |
| Enable Secure Connection | Check the Enable Secure Connection check box to import from an LDAP server over SSL. With this check box unchecked, the import uses a plain LDAP connection, and the Admin DN password sent in the simple bind crosses the network in cleartext. |
| Root CA Certificate Name | Click the drop-down arrow to view the trusted CA certificates. The Root CA Certificate Name refers to the trusted CA certificate that is required to connect to an LDAP server. You can add (import), edit, delete, and export trusted CA certificates in Cisco ISE. |
| Anonymous Bind | You must either check the Anonymous Bind check box, or enter the LDAP administrator credentials from the slapd.conf configuration file. |
| Admin DN | Enter the distinguished name (DN) configured for the LDAP administrator in the slapd.conf configuration file. Admin DN format example: cn=Admin, dc=cisco.com, dc=com |
| Password | Enter the password configured for the LDAP administrator in the slapd.conf configuration file. |
| Base DN | Enter the distinguished name of the parent entry. Only entries beneath this DN are imported. Base DN format example: dc=cisco.com, dc=com. |
| Query Settings | |
| MAC Address objectClass | Enter the objectClass that the query filter matches when importing MAC addresses, for example, ieee802Device. |
| MAC Address Attribute Name | Enter the name of the attribute that is returned for import and holds the MAC address, for example, macAddress. |
| Profile Attribute Name | Enter the name of the LDAP attribute. This attribute holds the policy name for each endpoint entry that is defined in the LDAP server. When you configure the Profile Attribute Name field, consider the following: |
| Time Out | Enter the time in seconds. The valid range is from 1 to 60 seconds. |
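The query side of this import, as an added example that is not Cisco ISE code: it reads a small constructed LDIF export of the directory and applies the Query Settings above (the objectClass filter, the MAC Address Attribute Name and the Profile Attribute Name) beneath a Base DN, normalising MAC addresses to the AA:BB:CC:DD:EE:FF form and listing the entries the import would skip. The directory entries, the iseProfile attribute name, the normalisation rule and the handling of entries that lack the profile attribute are assumptions made for the example; ieee802Device and macAddress are the RFC 2307 names the table cites. The connection side (port 636, the trusted root CA, the bind) is not modelled.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed LDIF export of the subtree the import would query (not real data).
# ieee802Device/macAddress are the RFC 2307 names the page cites; iseProfile is invented.
SAMPLE_LDIF = """\
dn: cn=phone-01,ou=Endpoints,dc=example,dc=com
objectClass: ieee802Device
cn: phone-01
macAddress: 00:1a:2b:3c:4d:5e
iseProfile: Cisco-IP-Phone
description:: TG9iYnkgcGhvbmU=

dn: cn=printer-01,ou=Endpoints,dc=example,dc=com
objectClass: ieee802Device
cn: printer-01
macAddress: 001A.2B3C.4D5F
iseProfile: Xerox-Device

dn: cn=bad-mac,ou=Endpoints,dc=example,dc=com
objectClass: ieee802Device
cn: bad-mac
macAddress: not-a-mac
iseProfile: Workstation

dn: cn=no-profile,ou=Endpoints,dc=example,dc=com
objectClass: ieee802Device
cn: no-profile
macAddress: 00-1A-2B-3C-4D-60

dn: cn=switch-01,ou=Network,dc=example,dc=com
objectClass: ieee802Device
cn: switch-01
macAddress: 00:1A:2B:3C:4D:61
iseProfile: Cisco-Device

dn: cn=user1,ou=Endpoints,dc=example,dc=com
objectClass: inetOrgPerson
cn: user1
sn: User
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    'attr:: base64' lines and leading-space continuation lines.  Attribute
    names are lower-cased because LDAP treats them case-insensitively."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = ""
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and last_attr:       # continuation of the previous value
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, ""
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                   # attr:: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


# Accepted spellings: 00:1A:2B:3C:4D:5E, 00-1A-2B-3C-4D-5E, 001A.2B3C.4D5E, 001A2B3C4D5E
MAC_FORMS = re.compile(
    r"^(?:[0-9A-F]{2}[:-]){5}[0-9A-F]{2}$|^(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}$|^[0-9A-F]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Canonical upper-case colon form (assumed target format), or None if invalid."""
    v = value.strip().upper()
    if not MAC_FORMS.match(v):
        return None
    digits = re.sub(r"[:.\-]", "", v)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def import_endpoints(entries: List[Entry], base_dn: str, object_class: str = "ieee802Device",
                     mac_attr: str = "macAddress", profile_attr: str = "iseProfile"
                     ) -> Tuple[Dict[str, Dict[str, Optional[str]]], List[Tuple[str, str]]]:
    """Apply the Query Settings to the entries; returns (imported by MAC, skipped with reason)."""
    imported: Dict[str, Dict[str, Optional[str]]] = {}
    skipped: List[Tuple[str, str]] = []
    base = base_dn.replace(" ", "").lower()
    for e in entries:
        dn = e.get("dn", [""])[0]
        norm_dn = dn.replace(" ", "").lower()
        if not (norm_dn == base or norm_dn.endswith("," + base)):
            skipped.append((dn, "outside Base DN"))
            continue
        if object_class.lower() not in (c.lower() for c in e.get("objectclass", [])):
            skipped.append((dn, "objectClass does not match"))
            continue
        raw_macs = e.get(mac_attr.lower(), [])
        if not raw_macs:
            skipped.append((dn, f"no {mac_attr} attribute"))
            continue
        mac = normalize_mac(raw_macs[0])
        if mac is None:
            skipped.append((dn, f"invalid MAC {raw_macs[0]!r}"))
            continue
        policy = e.get(profile_attr.lower(), [None])[0]
        imported[mac] = {"dn": dn, "policy": policy}   # policy None: left to the profiler (assumed)
    return imported, skipped


if __name__ == "__main__":
    imported, skipped = import_endpoints(parse_ldif(SAMPLE_LDIF), "ou=Endpoints,dc=example,dc=com")
    for mac, info in imported.items():
        print(f"import {mac}  policy={info['policy'] or '(profiler decides)'}")
    for dn, why in skipped:
        print(f"skip   {dn}: {why}")
```

Running it shows three endpoints imported and three skipped: the malformed MAC, the entry outside the Base DN, and the inetOrgPerson that the objectClass filter excludes. Widening the Base DN to dc=example,dc=com pulls in the switch under ou=Network as well, which is the practical reason to scope the Base DN to the subtree that actually holds endpoint records.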
Endpoint Profiling Policies Settings
| Field Name | Usage Guidelines |
|---|---|
| Name | Enter the name of the endpoint profiling policy that you want to create. |
| Description | Enter the description of the endpoint profiling policy that you want to create. |
| Policy Enabled | By default, the Policy Enabled check box is checked, so this profiling policy can be associated with an endpoint when you profile it. When unchecked, the endpoint profiling policy is excluded when you profile an endpoint. |
| Minimum Certainty Factor | Enter the minimum certainty factor for this profiling policy. The certainty that an endpoint accumulates from the rules it matches must reach this value for the policy to match. The default value is 10. |
| Exception Action | Choose an exception action that you want to associate with the conditions when defining a rule in the profiling policy. The default is NONE. The exception actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Exception Actions. |
| Network Scan (NMAP) Action | Choose a network scan action from the list that you want to associate with the conditions when defining a rule in the profiling policy, if required. The default is NONE. The network scan actions are defined in the following location: Policy > Policy Elements > Results > Profiling > Network Scan (NMAP) Actions. |
| Create an Identity Group for the policy | Choose one of the following options to create an endpoint identity group: |
| Yes, create matching Identity Group | Choose this option to create a matching identity group for the endpoints that match this profiling policy. The identity group is a child of the Profiled endpoint identity group. For example, the Xerox-Device endpoint identity group is created in the Endpoints Identity Groups page when endpoints discovered on your network match the Xerox-Device profile. |
| No, use existing Identity Group hierarchy | Choose this option to assign endpoints to the matching parent endpoint identity group using the hierarchical construction of profiling policies and identity groups. This option lets you use the endpoint profiling policy hierarchy to assign endpoints to one of the matching parent endpoint identity groups, or to the endpoint identity groups associated with that parent identity group. For example, endpoints that match an existing profile are grouped under the appropriate parent endpoint identity group: endpoints that match the Unknown profile are grouped under Unknown, and endpoints that match an existing profile are grouped under the Profiled endpoint identity group. For example, |
| Parent Policy | Choose a parent profiling policy that is defined in the system and to which you want to associate the new endpoint profiling policy. The child policy inherits the rules and conditions of its parent. |
| Associated CoA Type | Choose one of the following CoA types that you want to associate with the endpoint profiling policy: |
| Rules | One or more rules defined in an endpoint profiling policy determine the matching profiling policy for endpoints, which allows you to group endpoints according to their profiles. One or more profiling conditions from the policy elements library are used in rules to validate endpoint attributes and their values for the overall classification. |
| Conditions | Click the plus [+] sign to expand the Conditions anchored overlay; click the minus [-] sign, or click outside the anchored overlay, to close it. Click Select Existing Condition from Library or Create New Condition (Advanced Option). Select Existing Condition from Library: define an expression by selecting Cisco predefined conditions from the policy elements library. Create New Condition (Advanced Option): define an expression by selecting attributes from various system or user-defined dictionaries. You can associate one of the following with the profiling conditions. Choose one of the following predefined settings to associate with the profiling condition: |
| Select Existing Condition from Library | You can do the following: |
| Create New Condition (Advanced Option) | You can do the following: |
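A model of how the settings in this table and in Endpoint Settings combine when an endpoint is profiled, as an added example that is neither Cisco ISE code nor a description of its internal engine. It assumes that a rule's conditions are plain attribute equality tests, that a rule contributes its certainty factor only when every condition holds, that a child policy inherits its parent's rules and is only a candidate when the parent matched, and that the highest total certainty (deeper policy on a tie) wins. It then derives the identity group under the two Create an Identity Group options and honours Static Group Assignment. All policy names, attribute names and endpoints are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    conditions: Dict[str, str]   # attribute name -> required value (equality test, assumed)
    certainty: int               # certainty factor added when every condition holds


@dataclass
class ProfilingPolicy:
    name: str
    rules: List[Rule]
    min_certainty: int = 10           # Minimum Certainty Factor (default 10)
    enabled: bool = True              # Policy Enabled check box
    parent: Optional[str] = None      # Parent Policy
    matching_group: bool = True       # True: "Yes, create matching Identity Group"
                                      # False: "No, use existing Identity Group hierarchy"


@dataclass
class Endpoint:
    mac: str
    attributes: Dict[str, str]
    group: str = "Unknown"
    static_group: bool = False        # Static Group Assignment check box


Policies = Dict[str, ProfilingPolicy]


def depth(policies: Policies, name: str) -> int:
    parent = policies[name].parent
    return 0 if parent is None else 1 + depth(policies, parent)


def effective_rules(policies: Policies, name: str) -> List[Rule]:
    """A child policy inherits its parent's rules and conditions (assumed)."""
    p = policies[name]
    return (effective_rules(policies, p.parent) if p.parent else []) + p.rules


def score(policies: Policies, name: str, attrs: Dict[str, str]) -> int:
    """Total certainty factor: the sum over rules whose conditions all hold."""
    return sum(r.certainty for r in effective_rules(policies, name)
               if all(attrs.get(k) == v for k, v in r.conditions.items()))


def match_policy(policies: Policies, attrs: Dict[str, str]) -> Optional[str]:
    """Return the best matching profiling policy, or None (endpoint stays Unknown)."""
    matched: Dict[str, int] = {}
    # Parents are evaluated before children; a child is a candidate only if its parent matched.
    for name in sorted(policies, key=lambda n: depth(policies, n)):
        p = policies[name]
        if not p.enabled:                          # unchecked Policy Enabled: excluded entirely
            continue
        if p.parent is not None and p.parent not in matched:
            continue
        s = score(policies, name, attrs)
        if s >= p.min_certainty:                   # Minimum Certainty Factor reached
            matched[name] = s
    if not matched:
        return None
    # Highest certainty wins; the more specific (deeper) policy wins a tie.
    return max(matched, key=lambda n: (matched[n], depth(policies, n)))


def identity_group(policies: Policies, name: Optional[str]) -> str:
    """Identity group for a matched policy under the two Create an Identity Group options."""
    if name is None:
        return "Unknown"
    p = policies[name]
    if p.matching_group:
        return p.name             # matching group, a child of Profiled, named after the policy
    # Existing hierarchy: the nearest ancestor's group, or Profiled itself at the top.
    return identity_group(policies, p.parent) if p.parent else "Profiled"


def profile(policies: Policies, ep: Endpoint) -> Tuple[Optional[str], str]:
    """Profile one endpoint; returns (matched policy, resulting identity group)."""
    policy = match_policy(policies, ep.attributes)
    if not ep.static_group:       # Static Group Assignment: the profiler must not change the group
        ep.group = identity_group(policies, policy)
    return policy, ep.group


# Constructed policies and endpoints (names and attribute values are invented).
POLICIES: Policies = {p.name: p for p in [
    ProfilingPolicy("Cisco-Device", [Rule({"OUI": "Cisco Systems, Inc"}, 10)]),
    ProfilingPolicy("Cisco-IP-Phone", [Rule({"dhcp-class-identifier": "Cisco IP Phone"}, 20)],
                    min_certainty=20, parent="Cisco-Device"),
    ProfilingPolicy("Cisco-IP-Phone-7975", [Rule({"device-platform": "CP-7975G"}, 20)],
                    min_certainty=40, parent="Cisco-IP-Phone", matching_group=False),
    ProfilingPolicy("Disabled-Catch-All", [Rule({}, 100)], enabled=False),
]}

ENDPOINTS = [
    Endpoint("00:1A:2B:3C:4D:01", {"OUI": "Cisco Systems, Inc",
                                   "dhcp-class-identifier": "Cisco IP Phone",
                                   "device-platform": "CP-7975G"}),
    Endpoint("00:1A:2B:3C:4D:02", {"OUI": "Cisco Systems, Inc"}),
    Endpoint("00:1A:2B:3C:4D:03", {"OUI": "Xerox Corporation"}),
    Endpoint("00:1A:2B:3C:4D:04", {"OUI": "Cisco Systems, Inc"}, group="Printers", static_group=True),
]

if __name__ == "__main__":
    for ep in ENDPOINTS:
        policy, group = profile(POLICIES, ep)
        print(f"{ep.mac}  policy={policy}  identity group={group}")
```

The first endpoint reaches the most specific policy, Cisco-IP-Phone-7975, but because that policy uses the existing hierarchy it lands in the Cisco-IP-Phone identity group created by its parent. The second only satisfies Cisco-Device, the third matches nothing and stays Unknown, and the fourth matches Cisco-Device yet keeps its statically assigned Printers group. The disabled catch-all policy would match every endpoint with certainty 100 if it were enabled, which is why Policy Enabled is worth checking first when an unexpected profile appears.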
Endpoint Context Visibility Using UDID Attribute
The Unique Identifier (UDID) is an endpoint attribute that ties together the MAC addresses of a particular endpoint. An endpoint can have multiple MAC addresses, for example, one for the wired interface and another for the wireless interface. The AnyConnect agent generates a UDID for the endpoint and saves it as an endpoint attribute. The UDID remains constant for an endpoint; it does not change when AnyConnect is installed or uninstalled. When the UDID is used, the Context Visibility window (Context Visibility > Endpoints > Compliance) displays one entry instead of multiple entries for an endpoint with multiple NICs, so you can enforce posture control on a specific endpoint rather than on a MAC address.
Note: The endpoint must have AnyConnect 4.7 or higher to create the UDID.